View
221
Download
0
Tags:
Embed Size (px)
Citation preview
Position Based Cryptography*
Nishanth Chandran Vipul Goyal Ryan Moriarty Rafail Ostrovsky
UCLA
CRYPTO ‘09
What constitutes an identity?
• Your public key
• Your biometric
• Email ID
• How about where you are?
PK
zx
y
Geographical Position as an Identity
US Military Base in USA
sk skEncsk(m)
sk
US Military Base in Iraq
Reveal sk or else…..
Geographical Position as an Identity
US Military Base in USA
• We trust physical security
• Guarantee that those inside a particular geographical region are good
US Military Base in Iraq
Geographical Position as an Identity
US Military Base in USA
Enc (m)
Only someone at a particular geographical position can decrypt
US Military Base in Iraq
Other Applications
• Position-based Authentication: guarantee that a message came from a person at a particular geographical position
• Position-based access control: allow access to resource only if user is at particular geographical position
Many more….
Problem (informally)
• A set of verifiers present at various geographical positions in space
• A prover present at some geographical position P
GOAL: Exchange a key with the prover if
and only if prover is in fact at position P
Secure Positioning
• Set of verifiers wish to verify the position claim of a prover at position P
• Run an interactive protocol with the prover at P to verify this
• Studied in the security community [SSW03, B04, SP05, CH05, CCS06]
Previous Techniques for Secure Positioning
Verifier Prover
Random nonce r
r
Time of response
Prover cannot be farther away fromverifier than he claims to be
Triangulation [CH05]
V1
V2 V3
P
r1 r1
r2
r2
r3
r3
3 Verifiers measureTime of response and verify position claim
Triangulation [CH05]Works, but assumes a single adversary
V1
V2 V3
P3P2
P1
r1 r1
r2
r2
r3
r3
Position P
Pi can delay responseto Vi as if it were coming from P
Attack with multiple colluding provers
Talk Outline
Vanilla Model Secure Positioning
- Impossible in vanilla model
- Positive information-theoretic results in the Bounded Retrieval Model
Position-based Key Exchange- Positive information-theoretic results in the
BRM
Vanilla Model
V1
V2 V3
P
• Verifiers can send messages at any time to prover with speed of light
All verifiers sharea secret channel
P3P2
P1
• Multiple, coordinating adversaries, possibly computationally bounded
• Verifiers can record time of sent and received messages
P lies inside Tetrahedron
Lower Bound
Theorem: There does not exist any protocol to achieve secure positioning in the Vanilla model
Corollary: Position-based key exchange is impossible in the Vanilla model
Lower Bound – Proof sketch
V4
V1
V2V3
P1
P2
P4
P3
Position P
• Pj internally delays every msg from Vj and sends msg to Pi
• Blue path not shorter than red path
• Pi can run exact copy of prover and respond to Vi
• Generalization of attack presented earlier
Lower bound implications
• Secure positioning and hence position-based cryptography is impossible in Vanilla model (even with computational assumptions!)
• Search for alternate models where position-based cryptography is possible?
Bounded Retrieval Model (BRM) [Maurer’92, CLW06, Dziembowski06]
• Assumes long string X (of length n and high min-entropy) in the sky or generated by some party
• Assumes all parties (including honest) have retrieval bound βn for some 0<β<1
• Adversaries can retrieve information from X (even possibly after honest parties have used the key generated from X), as long as the total information retrieved is bounded
• Several works have studied the model in great detail
V1
V2
P1
BRM in the context of Position-based Cryptography
P2X
Verifiers can broadcast HUGE X
Like Vanilla Model exceptAdversaries are not
computationally bounded
V3
Adversaries can store only a small f(X) as X
passes by…i.e.(Total |f(X)| <
retrieval bound)
X
Note that Adversaries can NOT “reflect” X
(violates BSM)
Physically realizing BRM
• Seems reasonable that an adversary can only retrieve small amount of information as a string passes by (the string need to not even be super huge for this to hold).
• Verifiers could split X and broadcast the portions on different frequencies.
• The key could tell a prover which frequencies to listen in to.
BSM/BRM primitives needed
• BSM PRG from [Vad04]
• PRG takes as input string X with high min-entropy and short seed K
• PRG(X,K) ≈ Uniform, even given K and A(X) for arbitrary bounded output length function A
Secure Positioning in 1-Dimensional Space
V1 V2
Position P
XK K
K
PRG(X,K)
V1 measures time of responseand accepts if response is correct
and received at the right time
Correctness of protocol follows from 1. Prover at P can compute PRG(X,K)
2. V1 can compute PRG(X,K) when broadcasting X
3. Response of prover from P will be on time
Secure Positioning in 1-Dimensional Space
V1 V2
Position P
XK K
KP1 P2
Can store A(X) Can store K
• P1 can respond in time, but has only A(X) and K• P2 can compute PRG(X,K), but cannot respond in time
Proof Intuition
• First, we will make an UNREASONABLE assumption…
• Then show how to get rid of it!
Secure Positioning in 3-Dimensional Space
Secure Positioning in 3-Dimensional Space
V1
V2V3
V4
Position P
K1
X1
X2
X3
• Prover computes Ki+1 = PRG(Xi, Ki), 1≤ i ≤ 3
• Prover broadcasts K4 to all verifiers
• Verifiers check response & time of response
K4K4K4K4
CHEATING ASSUMPTION:For now, assume Vi
can store X’s!
Secure Positioning in 3-Dimensional Space
• Security will follow from security of position based based key exchange protocol presented later
• What about correctness??
V1
V2V3
V4K1
X1
X2
X3
• Verifiers cannot compute K4 if they don’t store Xi’s
• V3 needs K2 before broadcasting X2 to compute K3
• But, V3 might have to broadcast X2 before or same time as V2 broadcasts X1
K4
Secure Positioning in 3-Dimensional Space
ELIMINATING CHEATING:Protocol when Verifiers cannot store Xi’s
• V1, V2, V3, V4 pick K1, K2, K3, K4 at random before protocol
• Now, Verifiers know K4; they must help prover compute it
• V1 broadcasts K1
• V2 broadcasts X1 and K2’ = PRG(X1,K1) xor K2
• V3 broadcasts X2 and K3’ = PRG(X2,K2) xor K3
• V4 broadcasts X3 and K4’ = PRG(X3,K3) xor K4
Verifiers secret share Kis and broadcast one share according to Xis
Secure Positioning in 3-Dimensional Space
V1
V2V3
V4
Position PK1
X3, K4’
X2, K3’X1, K2’
• Note that provercan compute K4 and broadcast K4
Secure Positioning: Bottom line
• We can do secure positioning in 3D in the bounded storage model
• We can obtain a protocol even if there is a small variance in delivery time when small positioning error is allowed
Information-theoretic Key Exchange in 1-Dimensional Space
V1 V2
Position P
P1 P2
Could not compute key
Could compute key, but cannot respond in time
Secure positioning
Information-theoretic Key Exchange in 1-Dimensional Space
V1 V2
Position P
K1, X2 X1
K3 = PRG(X2, PRG(X1, K1))
P1 P2
Can store A(X2,K1),K1Can store A(X1, K1)
Seems like no adversary can compute PRG(X2, K2)
Intuition works!!
Information-theoretic Key Exchange in 3-Dimensional Space
V1
V2V3
V4
Position PK1,X4
X1, X5 X2
X3
Prover computes
Ki+1 = PRG(Xi, Ki) 1 ≤ i ≤ 5
K6 is final key
Again assume Verifiers can store X’s
Subtleties in proof
V1
V2V3
V4
Position PK1,X4
X1, X5 X2
X3
P1P2
P3
A(X4, K1)
A(X3)
P4
A(X1, A(X3), A(X4, K1))
Proof Ideas
• A lemma ruling out any adversary simultaneously receiving all messages of the verifiers
– Characterizes regions within tetrahedron where position-based key exchange is possible
• Combination of geometric arguments to characterize information that adversaries at different positions can obtain
Part 1: Geometric Arguments
Proof Ideas
Part 2: Extractor Arguments
• Build on techniques from Intrusion-Resilient Random Secret Sharing scheme of Dziembowski-Pietrzak [DP07]
• Show a reduction of the security of our protocol to a (slight) generalization of [DP07] allowing multiple adversaries working in parallel
A REMINDER: Intrusion-Resilient Random Secret Sharing Scheme (IRRSS) [DP07]
S1 S2 S3 Sn
X
1
X
2
X
3
Xn
• K1 is chosen at random and given to S1
• Si computes Ki+1 = PRG(Xi, Ki) and sends Ki+1 to Si+1 • Sn outputs key Kn+1
Bounded adversary can corrupt a sequence of players (with repetition) as long as sequence is valid
Valid sequence does not contain S1,S2,..,Sn as a subsequenceEg: If n = 5; 13425434125 is invalid, but 134525435 is valid
Then, Kn+1 is statistically close to uniform
Reduction to IRRSS
V1
V2
V3
V4
K1,X4
X1, X5
X2
X3
P1P2 A(X4, K1)
P3
A(X1, A(X3), A(X4, K1))
S1 S2 S3 S4
X
2
X
3
X4X
1
S5
X
5
P1: corrupts S4
P2: corrupts S3
P3: corrupts S4, S3, S1
All adversaries given K1 for free
Combining all this,proves the theorem
A(X3)
Conclusions
• WE HAVE SHOWN IN THE PAPER:– Position based Key Exchange in BRM for entire
tetrahedron region (but computational security)– Protocol for position based Public Key Infrastructure– Protocol for position based MPC
• OPEN:– Other models? (we are currently looking at quantum,
seems plausible!)– Other applications of position-based crypto?